$65 Million Settlement Agreed in Lehigh Valley Health Network Data Breach Lawsuit
A massive settlement has been agreed upon by counsel for the plaintiffs and defendants in a lawsuit against Lehigh Valley Health Network (LVHN) over a 2023 ransomware attack by the ALPHV/Blackcat ransomware group. The $65 million settlement is believed to be the largest ever per capita settlement in a U.S. class action data breach lawsuit.
Ransomware attacks typically involve data theft as well as file encryption. If the ransom is not paid, the stolen data is added to the ransomware group's data leak site where it can be downloaded by anyone, as was the case with the ransomware attack on LVHN. In this case, the stolen data included nude images of patients, hence the sizable settlement. The ransomware attack was detected by LVHN on February 6, 2023, and later that month, LVHN confirmed that the Blackcat group was behind the attack and had stolen patient data including some nude images of patients. According to LVHN, the photographs were clinically appropriate and were stored in a system on a network used by an unnamed physician practice in Lackawanna County in Pennsylvania.
Blackcat issued a ransom demand, and when payment wasn't made, started to leak some of the photographs on its dark web data leak site to increase the pressure on LVHN to pay the ransom. The ransom was not paid, despite the threat of the remaining data being leaked on the dark web. LVHN stated that the advice of the Federal Bureau of Investigation (FBI) was not to pay the ransom, since there is no guarantee that the attackers will delete the stolen data.
One of the affected individuals took the brave decision to take legal action against LVHN over the ransomware attack. While that patient was able to remain anonymous (the lawsuit was filed using the name Jane Doe), settlements are not always agreed, which would mean the lawsuit would proceed to a jury trial. The lawsuit was filed by attorneys Simon B. Paris and Patrick Howard of the law firm Saltz, Mongeluzzi, & Bendesky, P.C., and asserted claims of negligence for failing to implement reasonable and appropriate cybersecurity measures to protect against a known risk of cyberattacks, a violation of HIPAA, breach of fiduciary duty, breach of implied contract, breach of confidence, and publicity given to private life.
LVHN was criticized for its decision not to pay the ransomware group to prevent the publication of the stolen data when it was clear that the ransomware group would do just that. The attorneys for the plaintiff and class claimed that while LVHN was publicly patting itself on the back for standing up to the hackers by refusing to pay the ransom, they consciously and intentionally ignored the real victims in the attack and put their own financial considerations before the best interests of the patients. The lawsuit alleged the plaintiffs and class faced embarrassment and humiliation as a result of the publication of their photographs, and the release of sensitive data such as names, addresses, dates of birth, diagnosis and treatment information, health insurance information, and Social Security numbers has put them at risk of identity theft and fraud.
The settlement was agreed to avoid the uncertainty of a jury trial, with LVHN maintaining there was no wrongdoing and disputing that the plaintiff and class had a valid claim. The attorneys for the plaintiff and class will receive one-third of the settlement amount, and after expenses have also been deducted, the remainder will be paid to the class. The lead plaintiff will receive an award of $125,000, and approximately 135,000 class members will receive compensation based on the extent to which they have been harmed.
All individuals affected by the data breach will receive an estimated payment of around $50. If their information was stolen and posted online they will receive around $1,000, around $7,500 will be paid to individuals who had non-nude photographs posted online, and individuals who had nude photographs posted online are expected to receive between $70,000 and $80,000 as compensation. Claims may also be submitted to recover out-of-pocket expenses incurred due to the data breach up to a maximum of $5,000.
To preserve their anonymity, class members have been provided with a unique identifier to allow them to check which compensation tier they have been assigned to, and class members need do nothing to receive payment. A check will be given to them without having to submit a claim.
Class members who choose to opt out of or object to the settlement must do so by November 3, 2024. Claims must be submitted by October 21, 2024, and the final fairness hearing is scheduled for November 15, 2024. If approved by a judge, checks should be provided to the plaintiffs in early 2025.